PATCHES: On enabling read ACLs on LDAP searches for 4.0

Andrew Bartlett abartlet at samba.org
Thu Dec 6 17:45:34 MST 2012


On Thu, 2012-12-06 at 22:00 +0100, Stefan (metze) Metzmacher wrote:
> Am 06.12.2012 16:40, schrieb Stefan (metze) Metzmacher:
> > Am 06.12.2012 07:20, schrieb Andrew Bartlett:
> >> On Sun, 2012-11-25 at 23:39 +0100, Stefan (metze) Metzmacher wrote:
> >>> Hi,
> >>>
> >>> I've some patches which fix several bugs:
> >>>
> >>> Read ACL are not enabled by default on DS
> >>> https://bugzilla.samba.org/show_bug.cgi?id=8620
> >>>
> >>> ACL module: support the tree delete right
> >>> https://bugzilla.samba.org/show_bug.cgi?id=7711
> >>>
> >>> ACL are not recalculated if parent is changed and inherit is enabled
> >>> https://bugzilla.samba.org/show_bug.cgi?id=8621
> >>>
> >>> The branch is available here:
> >>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
> >>>
> >>> The only patch which makes autobuild take longer (by about 20 mins)
> >>> is the last one:
> >>> s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for
> >>> replicated changes
> >>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=ddd27d2b15a0b7e72abeeb4a259d83691d14abd6
> >>>
> >>> I'll try to debug why it slows down make test tomorrow.
> >>>
> >>> But the important thing is that
> >>> s4:dsdb/acl_read: enable acl checking on search by default
> >>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=39b425ac31a4497c162ffb29ccc92dbca95def69
> >>> doesn't cause a slow down.
> >>>
> >>> Please have a look at these important fixes; it would be good to get some
> >>> additional testing.
> >>
> >> The result of that testing isn't positive, I'm sorry to say.  I'm back
> >> from my time away, and I've run a wintest on current master. 
> >>
> >> Now, wintest isn't the most reliable of beasts (frankly, it's a royal
> >> pain, only surpassed by the pain of doing this totally manually), but
> >> I'm confident that the attached error message indicates an ACL issue.
> >>
> >> Additionally, a wintest with 'acl:search=false' set passes that step.
> >>
> >> Given this, and if the separate issue of MMC crashing is also related,
> >> we may have no choice but to revert the default here, given the
> >> timeframe :-(
> > 
> > I found the problem regarding the MMC crashing,
> > the problem was that the acl_read module filtered the nTSecurityDescriptor
> > too much.
> > 
> > https://bugzilla.samba.org/show_bug.cgi?id=9470
> > Can you try again with attached patches?
> 
> Updated patches are in
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
> They might not fix MMC, but they fix some important bugs and need some
> more testing, as I don't understand the dirsync stuff...

Can you try some of this locally?  The error has changed, but it still fails
(on the RODC in this case).

I can still try running this for new patches, but the DNS registration
is flaky and so it's very time-consuming to re-run.  (But at least it
keeps doing the same steps, from the same base image each time).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
$ telnet 192.168.122.70 -l 'administrator'
Trying 192.168.122.70...
Connected to 192.168.122.70.
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

password: penguin12#


*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\Administrator>netsh interface ip set dns "Local Area Connection" static 192.168.122.2 primary

netsh interface ip set dns "Local Area Connection" static 192.168.122.2 primary


C:\Users\Administrator>route add 0.0.0.0 mask 0.0.0.0 192.168.122.1
route add 0.0.0.0 mask 0.0.0.0 192.168.122.1
The route addition failed: The object already exists.


C:\Users\Administrator>copy /Y con answers.txt

[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=s4.howto.abartlet.net
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="s4-howto\Denied RODC Password Replication Group"
PasswordReplicationAllowed="s4-howto\Allowed RODC Password Replication Group"
DelegatedAdmin="s4-howto\Administrator"
SiteName=Default-First-Site-Name
InstallDNS=No
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=s4.howto.abartlet.net
UserName=s4.howto.abartlet.net\administrator
Password=p at ssw0rd
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=p at ssw0rd
RebootOnCompletion=No



copy /Y con answers.txt

[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=s4.howto.abartlet.net
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="s4-howto\Denied RODC Password Replication Group"
PasswordReplicationAllowed="s4-howto\Allowed RODC Password Replication Group"
DelegatedAdmin="s4-howto\Administrator"
SiteName=Default-First-Site-Name
InstallDNS=No
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=s4.howto.abartlet.net
UserName=s4.howto.abartlet.net\administrator
Password=p at ssw0rd
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=p at ssw0rd
RebootOnCompletion=No


        1 file(s) copied.

C:\Users\Administrator>C:\Users\Administrator>dcpromo /answer:answers.txt
dcpromo /answer:answers.txt

Checking if Active Directory Domain Services binaries are installed...
Active Directory Domain Services Setup

Validating environment and parameters...

Failed to examine the Active Directory forest. The error was: ldap_search() failed, err=1
00002020: schema: metadata tdb not initialized at ../source4/dsdb/samdb/ldb_modules/schema_load.c:117

C:\Users\Administrator>echo off
echo START DCPROMO log
more c:\windows\debug\dcpromoui.log
echo END DCPROMO log
echo off

echo START DCPROMO log
START DCPROMO log

more c:\windows\debug\dcpromoui.log
dcpromoui 3B8.7DC 0000 11:52:57.393 opening log file C:\Windows\debug\dcpromoui.log
dcpromoui 3B8.7DC 0001 11:52:57.393 C:\Windows\system32\dcpromo.exe
dcpromoui 3B8.7DC 0002 11:52:57.393 file timestamp 07/14/2009 12:39:02.901
dcpromoui 3B8.7DC 0003 11:52:57.393 local time 02/21/2012 11:52:57.393
dcpromoui 3B8.7DC 0004 11:52:57.409 running Windows NT 6.1 build 7601 Service Pack 1 (BuildLab:7601.win7sp1_gdr.110622-1506) amd64
dcpromoui 3B8.7DC 0005 11:52:57.409 logging flags 0001007C
dcpromoui 3B8.7DC 0006 11:52:57.409 Enter wmain
dcpromoui 3B8.7DC 0007 11:52:57.409   Enter CheckArgs
dcpromoui 3B8.7DC 0008 11:52:57.409     Enter CArgumentsSpec::ValidateArgument answer
dcpromoui 3B8.7DC 0009 11:52:57.409   Detecting WOW64
dcpromoui 3B8.7DC 000A 11:52:57.409   Detecting OS product type
dcpromoui 3B8.7DC 000B 11:52:57.409   Enter CheckIsServerCore
dcpromoui 3B8.7DC 000C 11:52:57.409     It is not on server foundation
dcpromoui 3B8.7DC 000D 11:52:57.409     HRESULT = 0x00000000
dcpromoui 3B8.7DC 000E 11:52:57.409   Enter IsSKUSupported
dcpromoui 3B8.7DC 000F 11:52:57.409   GUI mode: false
dcpromoui 3B8.7DC 0010 11:52:57.409   Create mutex returns 0x0
dcpromoui 3B8.7DC 0011 11:52:57.409   Console mode
dcpromoui 3B8.7DC 0012 11:52:57.409   Enter CheckInstallStates
dcpromoui 3B8.7DC 0013 11:52:57.409     Detecting NetFx3 component install state
dcpromoui 3B8.4F8 0014 11:52:57.409 Enter CbsGetUpdateInstallState
dcpromoui 3B8.4F8 0015 11:52:57.409   The category is 3
dcpromoui 3B8.4F8 0016 11:52:57.409   Enter FindRoleInfo
dcpromoui 3B8.4F8 0017 11:52:57.409     Enter CheckIsServerCore
dcpromoui 3B8.4F8 0018 11:52:57.409       It is not on server foundation
dcpromoui 3B8.4F8 0019 11:52:57.409       HRESULT = 0x00000000
dcpromoui 3B8.4F8 001A 11:52:57.409   Enter GetUpdateName
dcpromoui 3B8.4F8 001B 11:52:57.409   Enter GetPackageName
dcpromoui 3B8.4F8 001C 11:53:00.014     Package name for Microsoft-Windows-Foundation-Package is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514
dcpromoui 3B8.4F8 001D 11:53:00.045   Enter CbsGetUpdateInstallState
dcpromoui 3B8.4F8 001E 11:53:00.045     package name is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 and update name is NetFx3
dcpromoui 3B8.4F8 001F 11:53:00.872   HRESULT = 0x00000000
dcpromoui 3B8.7DC 0020 11:53:00.872     HRESULT = 0x00000000
dcpromoui 3B8.7DC 0021 11:53:00.872     NetFx3 component install state is 7
dcpromoui 3B8.7DC 0022 11:53:00.872     Detecting DS component install state
dcpromoui 3B8.798 0023 11:53:00.872 Enter CbsGetUpdateInstallState
dcpromoui 3B8.798 0024 11:53:00.872   The category is 0
dcpromoui 3B8.798 0025 11:53:00.872   Enter FindRoleInfo
dcpromoui 3B8.798 0026 11:53:00.872     Enter CheckIsServerCore
dcpromoui 3B8.798 0027 11:53:00.872       It is not on server foundation
dcpromoui 3B8.798 0028 11:53:00.872       HRESULT = 0x00000000
dcpromoui 3B8.798 0029 11:53:00.872   Enter GetUpdateName
dcpromoui 3B8.798 002A 11:53:00.872   Enter GetPackageName
dcpromoui 3B8.798 002B 11:53:01.652     Package name for Microsoft-Windows-Foundation-Package is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514
dcpromoui 3B8.798 002C 11:53:01.683   Enter CbsGetUpdateInstallState
dcpromoui 3B8.798 002D 11:53:01.683     package name is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 and update name is DirectoryServices-DomainController
dcpromoui 3B8.798 002E 11:53:02.494   HRESULT = 0x00000000
dcpromoui 3B8.7DC 002F 11:53:02.494     HRESULT = 0x00000000
dcpromoui 3B8.7DC 0030 11:53:02.494     DS component install state is 7
dcpromoui 3B8.7DC 0000 11:53:02.510 appending to log file C:\Windows\debug\dcpromoui.log
dcpromoui 3B8.7DC 0001 11:53:02.510 C:\Windows\system32\dcpromo.exe
dcpromoui 3B8.7DC 0002 11:53:02.510 file timestamp 07/14/2009 12:39:02.901
dcpromoui 3B8.7DC 0003 11:53:02.510 C:\Windows\system32\dcpromocmd.dll
dcpromoui 3B8.7DC 0004 11:53:02.510 file timestamp 11/21/2010 00:26:03.122
dcpromoui 3B8.7DC 0005 11:53:02.510 local time 02/21/2012 11:53:02.510
dcpromoui 3B8.7DC 0006 11:53:02.510 running Windows NT 6.1 build 7601 Service Pack 1 (BuildLab:7601.win7sp1_gdr.110622-1506) amd64
dcpromoui 3B8.7DC 0007 11:53:02.510 logging flags 0011007C
dcpromoui 3B8.7DC 0008 11:53:02.510 Enter DCPromoEntryW
dcpromoui 3B8.7DC 0009 11:53:02.510   Enter Computer::RemoveLeadingBackslashes 
dcpromoui 3B8.7DC 000A 11:53:02.510   Enter Computer::Refresh
dcpromoui 3B8.7DC 000B 11:53:02.510     Enter IsLocalComputer
dcpromoui 3B8.7DC 000C 11:53:02.510     Enter RefreshLocalInformation
dcpromoui 3B8.7DC 000D 11:53:02.510     Enter GetProductTypeFromRegistry
dcpromoui 3B8.7DC 000E 11:53:02.510       Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 3B8.7DC 000F 11:53:02.510       Enter RegistryKey::GetValue-String ProductType
dcpromoui 3B8.7DC 0010 11:53:02.510       ServerNT
dcpromoui 3B8.7DC 0011 11:53:02.510       prodtype : 0x3
dcpromoui 3B8.7DC 0012 11:53:02.510     Enter GetSafebootOption
dcpromoui 3B8.7DC 0013 11:53:02.510       Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option
dcpromoui 3B8.7DC 0014 11:53:02.510       HRESULT = 0x80070002
dcpromoui 3B8.7DC 0015 11:53:02.510       returning : 0x0
dcpromoui 3B8.7DC 0016 11:53:02.510     Enter DetermineRoleAndMembership
dcpromoui 3B8.7DC 0017 11:53:02.510       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 3B8.7DC 0018 11:53:02.510         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 3B8.7DC 0019 11:53:02.510           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 3B8.7DC 001A 11:53:02.510           lpServer  : (null)
dcpromoui 3B8.7DC 001B 11:53:02.510           InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromoui 3B8.7DC 001C 11:53:02.510           HRESULT = 0x00000000
dcpromoui 3B8.7DC 001D 11:53:02.510         MachineRole      : 0x2
dcpromoui 3B8.7DC 001E 11:53:02.510         Flags            : 0x0
dcpromoui 3B8.7DC 001F 11:53:02.510         DomainNameFlat   : WORKGROUP
dcpromoui 3B8.7DC 0020 11:53:02.510         DomainNameDns    : (null)
dcpromoui 3B8.7DC 0021 11:53:02.510         DomainForestName : (null)
dcpromoui 3B8.7DC 0022 11:53:02.510       Enter IsDcInRepairMode
dcpromoui 3B8.7DC 0023 11:53:02.510   HRESULT = 0x00000000
dcpromoui 3B8.7DC 0024 11:53:02.510   Enter State::DetermineRunContext
dcpromoui 3B8.7DC 0025 11:53:02.510     Enter DS::GetPriorServerRole
dcpromoui 3B8.7DC 0026 11:53:02.510       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 3B8.7DC 0027 11:53:02.510         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 3B8.7DC 0028 11:53:02.510           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 3B8.7DC 0029 11:53:02.510           lpServer  : (null)
dcpromoui 3B8.7DC 002A 11:53:02.510           InfoLevel : 0x2 (DsRoleUpgradeStatus)
dcpromoui 3B8.7DC 002B 11:53:02.510           HRESULT = 0x00000000
dcpromoui 3B8.7DC 002C 11:53:02.510         OperationState      : 0
dcpromoui 3B8.7DC 002D 11:53:02.510         PreviousServerState : 0
dcpromoui 3B8.7DC 002E 11:53:02.510     Enter Computer::GetNetbiosName
dcpromoui 3B8.7DC 002F 11:53:02.510       WIN2008R2-6
dcpromoui 3B8.7DC 0030 11:53:02.510     Enter Computer::GetRole WIN2008R2-6
dcpromoui 3B8.7DC 0031 11:53:02.510       role: 2
dcpromoui 3B8.7DC 0032 11:53:02.510     NT5_STANDALONE_SERVER
dcpromoui 3B8.7DC 0033 11:53:02.510   Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 3B8.7DC 0034 11:53:02.510   Enter State::ProcessCmdLineOnlyArgs
dcpromoui 3B8.7DC 0035 11:53:02.510     Enter CArgumentsSpec::ValidateArgument answer
dcpromoui 3B8.7DC 0036 11:53:02.510   Enter State::DetermineArgumentSpec
dcpromoui 3B8.7DC 0037 11:53:02.510     Enter State::GetMode NORMAL
dcpromoui 3B8.7DC 0038 11:53:02.510     Enter State::GetOperation NONE
dcpromoui 3B8.7DC 0039 11:53:02.510   Enter ValidateArgs
dcpromoui 3B8.7DC 003A 11:53:02.510     found no additional commandline options
dcpromoui 3B8.7DC 003B 11:53:02.510   Enter State::SetupAnswerFile answers.txt
echo END DCPROMO log

dcpromoui 3B8.7DC 003C 11:53:02.510     Enter FS::NormalizePath answers.txt
dcpromoui 3B8.7DC 003D 11:53:02.510     answerfile resolved to: C:\Users\Administrator\answers.txt
dcpromoui 3B8.7DC 003E 11:53:02.510     Enter FS::GetPathSyntax C:\Users\Administrator\answers.txt
dcpromoui 3B8.7DC 003F 11:53:02.510     true
dcpromoui 3B8.7DC 0040 11:53:02.510     answerfile found
dcpromoui 3B8.7DC 0041 11:53:02.510     answerfile will be considered for unattend settings
dcpromoui 3B8.7DC 0042 11:53:02.510     Enter GetAllKeys
dcpromoui 3B8.7DC 0043 11:53:02.510       Key: ReplicaOrNewDomain
dcpromoui 3B8.7DC 0044 11:53:02.510       Key: ReplicaDomainDNSName
dcpromoui 3B8.7DC 0045 11:53:02.510       Key: PasswordReplicationDenied
dcpromoui 3B8.7DC 0046 11:53:02.510       Key: PasswordReplicationDenied
dcpromoui 3B8.7DC 0047 11:53:02.510       Key: PasswordReplicationDenied
dcpromoui 3B8.7DC 0048 11:53:02.510       Key: PasswordReplicationDenied
dcpromoui 3B8.7DC 0049 11:53:02.510       Key: PasswordReplicationDenied
dcpromoui 3B8.7DC 004A 11:53:02.510       Key: PasswordReplicationAllowed
dcpromoui 3B8.7DC 004B 11:53:02.510       Key: DelegatedAdmin
dcpromoui 3B8.7DC 004C 11:53:02.510       Key: SiteName
dcpromoui 3B8.7DC 004D 11:53:02.510       Key: InstallDNS
dcpromoui 3B8.7DC 004E 11:53:02.510       Key: ConfirmGc
dcpromoui 3B8.7DC 004F 11:53:02.510       Key: CreateDNSDelegation
dcpromoui 3B8.7DC 0050 11:53:02.510       Key: UserDomain
dcpromoui 3B8.7DC 0051 11:53:02.510       Key: UserName
dcpromoui 3B8.7DC 0052 11:53:02.510       Key: Password
dcpromoui 3B8.7DC 0053 11:53:02.510       Key: DatabasePath
dcpromoui 3B8.7DC 0054 11:53:02.510       Key: LCleaning up ...
restoring /etc/resolv.conf
$ mv -f /etc/resolv.conf.wintest-bak /etc/resolv.conf
Traceback (most recent call last):
  File "./wintest/test-s4-howto.py", line 711, in <module>
    test_howto(t)
  File "./wintest/test-s4-howto.py", line 631, in test_howto
    run_dcpromo_rodc(t, "W2K8R2C")
  File "./wintest/test-s4-howto.py", line 343, in run_dcpromo_rodc
    raise Exception("dcpromo failed")
Exception: dcpromo failed
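The over-filtering of nTSecurityDescriptor that metze describes above (bug 9470) can be modelled without a directory. This is an added illustration, not Samba's acl_read module or metze's fix: the exact over-filtering condition is an assumption, while the access-mask and SECURITY_INFORMATION bits follow MS-DTYP/MS-ADTS and the sample entry and rights are constructed.

```python
# Illustrative model (added here; not Samba's acl_read code) of read-ACL
# filtering on one LDAP search entry. Owner, group and DACL of the SD need
# READ_CONTROL, the SACL also needs ACCESS_SYSTEM_SECURITY (MS-ADTS).

READ_CONTROL = 0x00020000            # standard right: read owner/group/DACL
ACCESS_SYSTEM_SECURITY = 0x01000000  # needed to read the SACL part
RIGHT_DS_READ_PROPERTY = 0x00000010  # AD object-specific: read attributes

# SECURITY_INFORMATION bits, as carried in the LDAP_SERVER_SD_FLAGS control.
OWNER_SI, GROUP_SI, DACL_SI, SACL_SI = 0x1, 0x2, 0x4, 0x8
ALL_SI = OWNER_SI | GROUP_SI | DACL_SI | SACL_SI


def readable_sd_parts(granted, requested=ALL_SI):
    """SD parts the caller may see, given its effective access mask."""
    parts = 0
    if granted & READ_CONTROL:
        parts |= requested & (OWNER_SI | GROUP_SI | DACL_SI)
    if granted & ACCESS_SYSTEM_SECURITY:
        parts |= requested & SACL_SI
    return parts


def filter_entry(entry, granted, sd_flags=ALL_SI, overstrict=False):
    """Return the attributes of `entry` the caller may read.

    `granted` is the caller's effective access mask on the object (the access
    check itself is assumed done). overstrict=True models (assumption) a filter
    that withholds the whole SD unless every requested part is readable.
    """
    visible = {}
    for attr, value in entry.items():
        if attr.lower() == "ntsecuritydescriptor":
            parts = readable_sd_parts(granted, sd_flags)
            if overstrict and parts != sd_flags:
                continue  # over-filtering: SACL unreadable -> drop the lot
            if parts:     # correct: return only the readable parts
                visible[attr] = {p: v for p, v in value.items() if p & parts}
        elif granted & RIGHT_DS_READ_PROPERTY:
            visible[attr] = value
    return visible


# Constructed sample object; SD parts are keyed by SECURITY_INFORMATION bit.
SAMPLE_ENTRY = {
    "cn": "wintest-rodc",
    "nTSecurityDescriptor": {OWNER_SI: "S-1-5-32-544", GROUP_SI: "S-1-5-32-544",
                             DACL_SI: "D:(A;;RPWP;;;DA)", SACL_SI: "S:(AU;SA;WP;;;WD)"},
}
# An administrator bound over LDAP without SeSecurityPrivilege (constructed).
ADMIN_RIGHTS = READ_CONTROL | RIGHT_DS_READ_PROPERTY
```

With ADMIN_RIGHTS the correct filter returns owner, group and DACL and silently omits the SACL, whereas the over-strict variant returns no nTSecurityDescriptor at all, which is the kind of gap an administrative client does not expect.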

